Next year, all 13,000 RIAs that custody client assets with Charles Schwab must have insurance that covers errors and omissions and cybersecurity threats, a new mandate to protect Schwab, RIAs and investors. Policies must have at least $1 million of coverage, according to a written statement sent to RIA Intel.
The insurance Schwab is requiring must cover social engineering, theft by hackers, and theft by employees, a move prompted in large part by rising growth in the RIA industry and increasing industry fraud, cybercrime, and trading volatility. To cover those things, RIAs need to either add a cybersecurity-specific endorsement to their errors and omissions, or E&O, insurance or purchase a separate cybersecurity policy.
RIAs that currently custody with Schwab and do not already have the insurance coverage will be required to get it sometime in the coming year, a representative for Schwab said. The same representative declined to specify when exactly RIAs will need to be covered. RIAs new to Schwab will have 90 days within signing their service agreement to acquire the mandated coverage.
Any TD Ameritrade RIA will need to have the insurance as they transition to Schwab’s platform, a representative for Schwab told RIA Intel in an email.
RIABiz first reported Schwab’s new insurance requirements Thursday evening.
Just 76 percent of RIAs have cybersecurity insurance, according to Schwab’s 2021 RIA Benchmarking study, which surveyed 1,340 advisory firms managing more than $1.5 trillion in aggregate.
“Independent advisors have been growing quickly, and while this growth and success is overwhelmingly positive for investors and RIAs alike, it does bring increased operational risks as firms expand and day-to-day operations become more complex,” Ian Muir, managing director of advisor controls and trading at Schwab Advisor Services, said in a written statement.
[Like this article? Subscribe to RIA Intel’s’ thrice-weekly newsletter.]
In June of 2020, the Department of Justice approved Schwab’s acquisition of TD Ameritrade for $26 billion, bringing TD Ameritrade’s 6,000 advisors underneath the umbrella of one of the largest financial services companies in the world.
As companies grow, so do liabilities.
“This complexity, combined with rising industry fraud, cybercrime, and trading volatility, means it is critical for advisors to evaluate how well their firm is protected. Schwab believes that insurance is a vital component to managing risk at Schwab and in advisors’ businesses and is consistent with the commitment to being a fiduciary for clients,” Muir said.
Requiring this type of coverage protects both the company and their advisors in the event of a company-wide breach, according to Nick Weiner, program executive at insurance brokerage Varney Agency, which has about 500 wealth management firms as clients.
“Let’s say the hackers find a backdoor way into all 13,000 of the RIAs,” Weiner said. “No company on the planet could purchase enough insurance that would cover that sort of a loss. That would just be catastrophic.”
However, basic E&O insurance offered by most companies won’t include cybersecurity, Weiner said.
Cybersecurity policies typically cover things like funds transfer fraud, ransomware protection, credit monitoring for affected clients, and forensics investigations to help them through a cyber breach.
However, anything that falls under cybercrime, such as a phishing-related incident, theft by a hacker, or theft by an employee, which is also required by Schwab, may not be covered.
“Within an E&O insurance policy, theft is always excluded. Always. The only way to cover theft or crime is another term used in the industry, is through a specific crime coverage,” Weiner said.
Weiner recommends RIAs purchase two separate insurances, one that covers E&O and one that covers cybersecurity and crime. The cost of two separate policies is roughly the same as adding a cybersecurity endorsement to an existing E&O policy. Two policies also mean double the liability coverage.
“You’re paying about the same to have it endorsed on, but you’re not getting separate limits. So, what you’re doing now is you’re sharing the million dollars for your E&O policy, but you’re sharing it and opening it up to cyber exposures,” Weiner said.
The cost of insurance depends on the size of the firm, the number of clients, annual revenue, the limits of the claim, and the providers selected. RIAs spend 0.7 percent of annual revenue on insurance, according to the annual Schwab Benchmarking study.
Weiner said the starting price for cyber coverage with a crime component is around $1200 a year and which will go up based on certain rating factors like the number of employees and annual revenue.
At an RIA managing under $75 million in assets, $1 million in E&O coverage, with a $10,000 deductible, would cost a base premium of about $5,600, according to Weiner. The same policy for a company with $100 million under management can expect their premium to start around $6,900.
Weiner said three years ago only about 25 percent of his clients purchased standalone E&O and standalone cybersecurity insurance. Today 100 percent of his clients have a standalone policy for each one.
Two factors have led to the growth, he said. More insurance companies are offering cybersecurity policies and the increased competition has driven down prices, leading more RIAs to purchase it. Meanwhile, more advisors are also recognizing that cyber risk is real.
“You could do all the education in the world for your employees. You can have all the best security, but when it comes to software and things like that, if it can be built, it can be broken down,” Weiner said.
Clarification: This story was updated to clarify what type of insurance policies or coverage Schwab will require RIAs to have. Schwab is not explicitly requiring RIAs to have a standalone cybersecurity insurance policy. It is requiring certain coverage that can be achieved through endorsements and or standalone insurance policies.
Holly Deaton (@HollyLDeaton) is a staff writer at RIA Intel and based in New York City.